> Hello.
>
> I successfully setup the chain overlay, so as to push changes from a
> slave to a master, with something as:
> overlay chain
> chain-uri "ldap://ldap1.domain.tld&quot;
> chain-idassert-bind bindmethod="simple"
> binddn="cn=chain,ou=roles,dc=domain,dc=tld"
> credentials="s3cr3t"
> mode="self"
> chain-idassert-authzFrom "*"
> chain-tls start
> chain-return-error TRUE
>
> I'm curious, tough, why the slave has to use a proxy identity to
> authenticate on the master, instead of reusing original query
> credentials. Is there something preventing it, or is just that all
> examples I found sofar were using it ?

If by "original query credentials" you mean those of the user that first
attempted the write operation that got chained, that user's credentials
are no longer available. That's why you must use a proxy ID that has the
authority to act on the original user's behalf.

Also, there is no guarantee the master can auth that user, if the lave
is not just a shadow of the master.